Xls.Dropper.Agent-7144253-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 022a7aeea762db63…

MALICIOUS

Office (OLE)

327.2 KB First seen: 2020-02-04
MD5: 95ce609e27eaf36655c55d7a4345c8c6 SHA-1: 72c9590eafc1358b49dcb95b0d8da557a5a88418 SHA-256: 022a7aeea762db6376ff87ef8ac4f590c9a37879740e41c448d8825a7cce8ea6
350 Risk Score

Malware Insights

Xls.Dropper.Agent-7144253-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is identified as a malicious Excel dropper (Xls.Dropper.Agent-7144253-0) by ClamAV. Static analysis reveals an embedded PE executable and references to Windows API functions such as ShellExecute and LoadLibrary, indicating its purpose is to download and execute a secondary payload. The large slack space anomaly in the OLE structure further supports its suspicious nature.

Heuristics 9

  • ClamAV: Xls.Dropper.Agent-7144253-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7144253-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 335,018 bytes but its declared streams total only 43,269 bytes — 291,749 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/SMI/2005/WindowsSettings In document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1271 bytes
SHA-256: 1393fb9c6c18f41eb0fa3c4533b46ef8e1670352e75321cc8504cd42cae698a3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView1, 1, 0, MSComctlLib, ListView"

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
embedded_office_0000f440.exe embedded-pe Office MZ+PE at offset 0xF440 272490 bytes
SHA-256: 25ba4ae6ad8df3607546f3c2b27e2c299d70a8e4d0779fbeb0234dad2d25372e
embedded_office_off0000be40.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0xBE40 286314 bytes
SHA-256: 33acacf491d10b048d495528a58fbce5eea763304ec6894ba6583e4fc6a500a6

Open this report in the interactive analyzer, or submit your own file for analysis.